Note that among a sea of tracked browsers, the untrackable browser shines like a bright star.
Statistical analysis of these values over time (matched with client hints, ETags, If-Modified-Since, and IPs) will make most browsers uniquely identifiable.
If the malicious vendor is good, they even correlate the size and order of requests. Because that's unique as well and can identify TOR browsers pretty easily.
It's like saying "I can't be tracked, because I use Linux". Guess what, as long as nobody in your town uses Linux, you are the most trackable person.
I decided to go with the "behave as the statistical norm expects you to behave" and created my browser/scraper [1] and forked WebKit into a webview [2] that doesn't support anything that can be used for tracking; with the idea that those tracking features can be shimmed and faked.
I personally think this is the only way to be untrackable these days. Because let's be honest, nobody uses Firefox with ETP in my town anymore :(
WebKit was a good start of this because at least some of the features were implemented behind compiler flags...whereas all other browsers and engines can't be built without say, WebRTC support, or say, without Audio Worklets which are for themselves enough to be uniquely identified.
Wait, but the case for TOR isn't to hide you are using TOR, but to blend in with the crowd of TOR users. Does my TOR browser give a different fingerprint than yours?
> I mean, at some point you gotta ask yourself why cloudflare shows all TOR users a captcha in a targeted manner :)
Because exit node IP addresses are known, you have just said it.
How does it have anything to do with user fingerprinting? And how does it answer the question of @gtsop asking whether different users of ToR web browser have different distinguishable fingerprint or not?
So what? There are plenty of stars in the sky, and if you are farbling [1] your star shimmers differently every time the surveillance-monster glances skyward.
The comment above regurgitates a misconception frequently found on HN: the assumption that the only defense against fingerprinting is to look exactly identical to everybody else. That is incredibly shortsighted.
I didn't review the linked projects, but isn't the "untrackable" browser one that does not implement or spoofs most APIs?
I think it would be, for the most part, trivial to make a text-based or extremely stripped down browser on top of existing projects, if you had the contracts mapped for appropriate code generation. There are IDLs for most Web APIs, so that is a head-start.
I think this would be achievable, but not as a browser that most people would want to use.
Exactly. One of the reasons was that WebKit implements its APIs based on the WebIDL schema files (iirc Firefox does this too since Aurora).
Though the C++ code generator is a real old Perl script, it's generally feasible to spoof the APIs as they would behave while providing behaviour profiles of the most commonly used web browsers (e.g. chrome/edge on windows).
The real challenge is to implement behaviour profiles that are also timing specific because some browsers have different timings in incognito mode vs. normal mode due to how the memory is allocated directly in-RAM. That's usually how incognito mode browsers are identified by recaptcha.
[1] https://github.com/tholian-network/stealth
[2] https://github.com/tholian-network/retrokit
(both WIP)
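The two positions argued in this thread (blend in with the statistical norm versus farbling), as an added example that is not part of any comment or of the linked projects. The population, attribute values, and user names are constructed; the tracker is assumed to link visits only by exact fingerprint match.

```python
import math
import random
from collections import Counter

def surprisal_bits(fp, observed):
    """Identifying information (in bits) a fingerprint carries within `observed`."""
    counts = Counter(observed)
    return -math.log2(counts[fp] / len(observed))

def relinked(visit1, visit2):
    """Users a tracker can re-identify across two visits: the fingerprint is
    unique in visit 1 and the same unique value reappears in visit 2."""
    c1, c2 = Counter(visit1.values()), Counter(visit2.values())
    return {user for user, fp in visit1.items()
            if c1[fp] == 1 and c2[fp] == 1 and visit2.get(user) == fp}

def simulate(seed=7, crowd=500):
    rng = random.Random(seed)
    common = ("Windows", "Chrome", "canvas-A")  # constructed majority profile

    def visit():
        fps = {f"user{i}": common for i in range(crowd)}
        # Static but uncommon setup: the "only Linux user in town".
        fps["rare"] = ("Linux", "Firefox", "canvas-B")
        # Spoofs the majority profile on every attribute.
        fps["blend"] = common
        # Farbling: one attribute is re-randomized on every visit.
        fps["farble"] = ("Windows", "Chrome", f"canvas-{rng.getrandbits(64):016x}")
        return fps

    v1, v2 = visit(), visit()
    seen = list(v1.values())
    bits = {u: surprisal_bits(v1[u], seen) for u in ("rare", "blend", "farble")}
    return bits, relinked(v1, v2)

if __name__ == "__main__":
    bits, linked = simulate()
    for user, b in bits.items():
        print(f"{user:7s} {b:6.3f} bits  relinked={user in linked}")
```

Within a single visit the farbled and the rare fingerprint are equally unique, but only the static rare one is linked across visits. Timing and request-order correlation, which the thread also raises, is not modelled here.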